001/**
002 * Licensed to the Apache Software Foundation (ASF) under one or more
003 * contributor license agreements.  See the NOTICE file distributed with
004 * this work for additional information regarding copyright ownership.
005 * The ASF licenses this file to You under the Apache License, Version 2.0
006 * (the "License"); you may not use this file except in compliance with
007 * the License.  You may obtain a copy of the License at
008 *
009 *      http://www.apache.org/licenses/LICENSE-2.0
010 *
011 * Unless required by applicable law or agreed to in writing, software
012 * distributed under the License is distributed on an "AS IS" BASIS,
013 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
014 * See the License for the specific language governing permissions and
015 * limitations under the License.
016 */
017package org.apache.activemq.util;
018
019import java.io.IOException;
020import java.nio.file.FileSystems;
021
022import javax.servlet.Filter;
023import javax.servlet.FilterChain;
024import javax.servlet.FilterConfig;
025import javax.servlet.ServletException;
026import javax.servlet.ServletRequest;
027import javax.servlet.ServletResponse;
028import javax.servlet.http.HttpServletRequest;
029import javax.servlet.http.HttpServletRequestWrapper;
030
031import org.slf4j.Logger;
032import org.slf4j.LoggerFactory;
033
034
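/**
 * Servlet filter that wraps every HTTP request so that the path-like values
 * downstream code reads from it (the {@code Destination} parameter, the path
 * info, the translated path and the request URI) are passed through
 * {@code guard} first. Non-HTTP requests are forwarded unchanged.
 *
 * <p>Scope of the protection, as implemented here:
 * <ul>
 *   <li>Only {@code getParameter}, {@code getPathInfo},
 *       {@code getPathTranslated} and {@code getRequestURI} are wrapped.
 *       {@code getParameterValues}, {@code getParameterMap}, headers and
 *       {@code getServletPath} still return the container's raw values, so
 *       code that reads a file name through those is not covered.</li>
 *   <li>The sanitisation is lexical only. It is a defence-in-depth layer, not
 *       a substitute for checking, at the point of file access, that the
 *       resolved path stays inside the intended base directory.</li>
 * </ul>
 */
public class FilenameGuardFilter implements Filter {

    private static final Logger LOG = LoggerFactory.getLogger(FilenameGuardFilter.class);

    /** Request parameter whose value is treated as a file name and sanitised. */
    private static final String DESTINATION_PARAMETER = "Destination";

    @Override
    public void destroy() {
        // nothing to destroy
    }

    @Override
    public void init(FilterConfig config) throws ServletException {
        // nothing to init
    }

    /**
     * Forwards the request down the chain, substituting a guarded wrapper when
     * the request is an {@link HttpServletRequest}.
     *
     * @param request  incoming request
     * @param response outgoing response, passed through untouched
     * @param chain    remainder of the filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (!(request instanceof HttpServletRequest)) {
            // Nothing path-like to sanitise on a non-HTTP request.
            chain.doFilter(request, response);
            return;
        }
        chain.doFilter(new GuardedHttpServletRequest((HttpServletRequest) request), response);
    }

    /** Request wrapper that sanitises the path-like accessors it overrides. */
    private static class GuardedHttpServletRequest extends HttpServletRequestWrapper {

        public GuardedHttpServletRequest(HttpServletRequest httpRequest) {
            super(httpRequest);
        }

        /**
         * Replaces every {@code ':'} with {@code '_'} and lexically normalises
         * the result with the JVM's default file system.
         *
         * <p>Caveats for anyone relying on this as a traversal defence:
         * <ul>
         *   <li>{@code Path.normalize()} never touches the file system: it
         *       does not resolve symbolic links and does not confine the
         *       result to any directory. A relative value that starts with
         *       {@code ..} keeps those leading segments.</li>
         *   <li>Parsing and the separator used by {@code toString()} depend on
         *       the default file system, so the returned text can differ
         *       between platforms.</li>
         *   <li>{@code getPath} throws the unchecked
         *       {@code InvalidPathException} for text the default file system
         *       cannot represent; that exception is deliberately left to
         *       propagate so the request fails instead of continuing with an
         *       unsanitised value.</li>
         *   <li>NOTE(review): {@code getRequestURI()} is documented by the
         *       servlet API as not decoded by the container, so
         *       percent-encoded dot segments would reach this method still
         *       encoded and would not be collapsed here - confirm how
         *       consumers decode the value.</li>
         * </ul>
         *
         * @param filename raw value from the wrapped request; may be
         *                 {@code null} when the container has no value (no
         *                 extra path info, parameter absent)
         * @return the sanitised value, or {@code null} if {@code filename} is
         *         {@code null}
         */
        private String guard(String filename) {
            if (filename == null) {
                // The servlet API returns null for an absent parameter or
                // missing path info; keep that contract instead of failing
                // with a NullPointerException on every such request.
                return null;
            }
            // Presumably neutralises drive-letter / stream-style syntax on
            // platforms where ':' is significant - the intent is not stated
            // in this file.
            String withoutColons = filename.replace(":", "_");
            String guarded = FileSystems.getDefault().getPath(withoutColons).normalize().toString();
            // Both values are request-controlled. Parameterised logging avoids
            // the string concatenation but does not encode CR/LF; log
            // appenders that need forgery resistance must encode on output.
            LOG.debug("guarded {} to {}", filename, guarded);
            return guarded;
        }

        /**
         * Returns the named parameter, sanitised when it is the
         * {@code Destination} parameter and unchanged otherwise.
         */
        @Override
        public String getParameter(String name) {
            String value = super.getParameter(name);
            // Constant-first comparison so a null name cannot throw here.
            return DESTINATION_PARAMETER.equals(name) ? guard(value) : value;
        }

        /** Returns the sanitised extra path info, or {@code null} if there is none. */
        @Override
        public String getPathInfo() {
            return guard(super.getPathInfo());
        }

        /** Returns the sanitised translated path, or {@code null} if there is none. */
        @Override
        public String getPathTranslated() {
            return guard(super.getPathTranslated());
        }

        /** Returns the sanitised request URI. */
        @Override
        public String getRequestURI() {
            return guard(super.getRequestURI());
        }
    }
}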